11 WORKING WITH COMPUTER ACCOUNTS Chapter 8

Chapter 8: WORKING WITH COMPUTER ACCOUNTS2 CHAPTER OVERVIEW  Describe the process of adding a computer to an Active Directory domain  Create and manage computer objects  Troubleshoot computer accounts  Describe the process of adding a computer to an Active Directory domain  Create and manage computer objects  Troubleshoot computer accounts

Chapter 8: WORKING WITH COMPUTER ACCOUNTS3 UNDERSTANDING COMPUTER OBJECTS  Logical representation in Active Directory of the physical computer object  Can be granted permissions to other objects and be subject to group policy  Can be made a member of a group  Logical representation in Active Directory of the physical computer object  Can be granted permissions to other objects and be subject to group policy  Can be made a member of a group

Chapter 8: WORKING WITH COMPUTER ACCOUNTS4 ADDING COMPUTERS TO A DOMAIN  Step 1: Create a computer account in Active Directory  Step 2: Join the computer to the domain  Step 1: Create a computer account in Active Directory  Step 2: Join the computer to the domain

Chapter 8: WORKING WITH COMPUTER ACCOUNTS5 CREATING COMPUTER OBJECTS  Computer object must exist in Active Directory before computer can be joined to the domain.  Computer object can be created using Active Directory Users and Computers or a command-line tool such as Dsadd.  Computer account can also be created during the domain joining process.  Computer object must exist in Active Directory before computer can be joined to the domain.  Computer object can be created using Active Directory Users and Computers or a command-line tool such as Dsadd.  Computer account can also be created during the domain joining process.

Chapter 8: WORKING WITH COMPUTER ACCOUNTS6 CREATING COMPUTER OBJECTS USING ACTIVE DIRECTORY USERS AND COMPUTERS

Chapter 8: WORKING WITH COMPUTER ACCOUNTS7 CREATING COMPUTER OBJECTS USING DSADD.EXE  Allows computer account creation to be scripted  Provides a mechanism to create large amounts of computer accounts at one time  Allows computer account creation to be scripted  Provides a mechanism to create large amounts of computer accounts at one time

Chapter 8: WORKING WITH COMPUTER ACCOUNTS8 CREATING COMPUTER OBJECTS USING NETDOM.EXE  Command-line utility  Simpler to use than Dsadd  Must be extracted from the support.cab archive in the \Support\Tools folder on the Windows Server 2003 installation CD  Command-line utility  Simpler to use than Dsadd  Must be extracted from the support.cab archive in the \Support\Tools folder on the Windows Server 2003 installation CD

Chapter 8: WORKING WITH COMPUTER ACCOUNTS9 JOINING COMPUTERS TO A DOMAIN

Chapter 8: WORKING WITH COMPUTER ACCOUNTS10 JOINING A DOMAIN USING NETDOM.EXE  Allows computers to be joined to the domain from a command line  Allows scripts to be developed to streamline the process of joining a computer to a domain  Allows computers to be joined to the domain from a command line  Allows scripts to be developed to streamline the process of joining a computer to a domain

Chapter 8: WORKING WITH COMPUTER ACCOUNTS11 CREATING COMPUTER OBJECTS WHILE JOINING THE DOMAIN

Chapter 8: WORKING WITH COMPUTER ACCOUNTS12 JOINING A DOMAIN DURING OPERATING SYSTEM INSTALLATION

Chapter 8: WORKING WITH COMPUTER ACCOUNTS13 LOCATING COMPUTER OBJECTS  The Computers container  The Domain Controllers OU  The Computers container  The Domain Controllers OU

Chapter 8: WORKING WITH COMPUTER ACCOUNTS14 LOCATING DOMAIN CONTROLLER COMPUTER OBJECTS  Computer accounts for domain controllers are placed in the system-created domain controllers OU by default.  The Default Domain Controllers Policy GPO is applied to the container.  Computer accounts for domain controllers are placed in the system-created domain controllers OU by default.  The Default Domain Controllers Policy GPO is applied to the container.

Chapter 8: WORKING WITH COMPUTER ACCOUNTS15 LOCATING OTHER COMPUTER OBJECTS  Non–domain-controller computer accounts are placed in the Computers system-created container by default.  Container does not support group policy  Non–domain-controller computer accounts are placed in the Computers system-created container by default.  Container does not support group policy

Chapter 8: WORKING WITH COMPUTER ACCOUNTS16 REDIRECTING COMPUTER OBJECTS  Allows an alternative default location for computer accounts to be specified.  Use the Redircmp.exe command-line utility.  Works only on Windows Server 2003 domain functional level.  Can be overridden by explicit computer account creation commands.  Allows an alternative default location for computer accounts to be specified.  Use the Redircmp.exe command-line utility.  Works only on Windows Server 2003 domain functional level.  Can be overridden by explicit computer account creation commands.

Chapter 8: WORKING WITH COMPUTER ACCOUNTS17 MANAGING COMPUTER OBJECTS  Computer objects have properties.  Can be viewed and configured through Active Directory Users and Computers  Computer objects have properties.  Can be viewed and configured through Active Directory Users and Computers

Chapter 8: WORKING WITH COMPUTER ACCOUNTS18 MODIFYING COMPUTER OBJECT PROPERTIES

Chapter 8: WORKING WITH COMPUTER ACCOUNTS19 DELETING, DISABLING, AND RESETTING COMPUTER OBJECTS Deleting  Removes the computer account from Active Directory Disabling  Prevents the computer from being used to log on to the domain Resetting  Reestablishes relationship between a computer and Active Directory Deleting  Removes the computer account from Active Directory Disabling  Prevents the computer from being used to log on to the domain Resetting  Reestablishes relationship between a computer and Active Directory

Chapter 8: WORKING WITH COMPUTER ACCOUNTS20 DELETING COMPUTER OBJECTS  Manually through Active Directory Users and Computers  Automatically by changing the domain membership on the computer  Using a command-line tool such as Dsrm  Manually through Active Directory Users and Computers  Automatically by changing the domain membership on the computer  Using a command-line tool such as Dsrm

Chapter 8: WORKING WITH COMPUTER ACCOUNTS21 DISABLING COMPUTER OBJECTS

Chapter 8: WORKING WITH COMPUTER ACCOUNTS22 RESETTING A COMPUTER OBJECT  Necessary when replacing or upgrading a computer system  Allows an appropriately named new system to use an existing computer account  Necessary when replacing or upgrading a computer system  Allows an appropriately named new system to use an existing computer account

Chapter 8: WORKING WITH COMPUTER ACCOUNTS23 MANAGING REMOTE COMPUTERS  Allows you to perform management tasks across the network  Actually a shortcut to the Computer Management MMC snap-in  Allows you to perform management tasks across the network  Actually a shortcut to the Computer Management MMC snap-in

Chapter 8: WORKING WITH COMPUTER ACCOUNTS24 MANAGING COMPUTER OBJECTS FROM THE COMMAND LINE Dsmod  Used to modify existing computer account objects Dsrm  Used to remove computer account objects from Active Directory Dsmod  Used to modify existing computer account objects Dsrm  Used to remove computer account objects from Active Directory

Chapter 8: WORKING WITH COMPUTER ACCOUNTS25 MANAGING COMPUTER OBJECT PROPERTIES WITH DSMOD.EXE  Can be used to modify properties of existing computer account objects  Useful for creating scripts and batch files to automate changes  Cannot be used to create or delete computer account objects  Can be used to modify properties of existing computer account objects  Useful for creating scripts and batch files to automate changes  Cannot be used to create or delete computer account objects

Chapter 8: WORKING WITH COMPUTER ACCOUNTS26 DELETING COMPUTER OBJECT PROPERTIES WITH DSRM.EXE  Can be used to delete computer account objects from the command line  Requires confirmation of deletion unless the - noprompt switch is used  Can be used to delete computer account objects from the command line  Requires confirmation of deletion unless the - noprompt switch is used

Chapter 8: WORKING WITH COMPUTER ACCOUNTS27 TROUBLESHOOTING COMPUTER ACCOUNTS: PROBLEMS  Messages at logon indicate that a domain controller cannot be contacted, that the computer account might be missing, or that the trust between the computer and the domain has been lost.  Error messages or entries in an event log indicate similar problems or suggest that passwords, trusts, secure channels, or relationships with the domain or a domain controller have failed.  A computer account is missing in Active Directory.  Messages at logon indicate that a domain controller cannot be contacted, that the computer account might be missing, or that the trust between the computer and the domain has been lost.  Error messages or entries in an event log indicate similar problems or suggest that passwords, trusts, secure channels, or relationships with the domain or a domain controller have failed.  A computer account is missing in Active Directory.

Chapter 8: WORKING WITH COMPUTER ACCOUNTS28 TROUBLESHOOTING COMPUTER ACCOUNTS: SOLUTIONS  Reset the computer account in Active Directory.  If the computer account is missing, create a computer account.  If the computer still belongs to the domain, you must remove it from the domain by changing its membership to a workgroup.  Rejoin the computer to the domain.  Reset the computer account in Active Directory.  If the computer account is missing, create a computer account.  If the computer still belongs to the domain, you must remove it from the domain by changing its membership to a workgroup.  Rejoin the computer to the domain.

Chapter 8: WORKING WITH COMPUTER ACCOUNTS29 SUMMARY  A computer object represents a specific system on the network.  To add a computer to a domain, you must create a computer object for it in Active Directory and then join the physical computer to the object.  To create computer objects, you can use the Active Directory Users and Computers console, the Dsadd utility, or the Netdom utility.  A computer object represents a specific system on the network.  To add a computer to a domain, you must create a computer object for it in Active Directory and then join the physical computer to the object.  To create computer objects, you can use the Active Directory Users and Computers console, the Dsadd utility, or the Netdom utility.

Chapter 8: WORKING WITH COMPUTER ACCOUNTS30 SUMMARY (continued)  Computer objects for non–domain controllers are placed in the Computers container by default.  Computer object have a SID that Active Directory uses to reference the computer in its group memberships and other permissions.  The typical steps for troubleshooting a computer object problem include creating or resetting the object, removing the computer from the domain, and rejoining it to the domain.  Computer objects for non–domain controllers are placed in the Computers container by default.  Computer object have a SID that Active Directory uses to reference the computer in its group memberships and other permissions.  The typical steps for troubleshooting a computer object problem include creating or resetting the object, removing the computer from the domain, and rejoining it to the domain.

Chapter 8: WORKING WITH COMPUTER ACCOUNTS31